Thursday, June 11, 2015

From
Spanish news source "ElComercio" we bring you this phishing story -
about a Nigerian citizen arrested in Spain. Click the Spanish headline for the original story. A
Google-translate-assisted version of the story is shared below for the
convenience of our English-speaking readers with permission from Olaya!)

A 44 year-old Nigerian citizen was arrested locally for defrauding hundreds of people by using their bank details to make purchases online and then
resell these products on the black market. The National Police estimates that he gained more than 50,000 euros in this way.
The investigation began in September 2014 after receiving the first
reports of victims whose banking data had been used illegally for
various internet shopping portals.
Police work was arduous and complex, but eventually determine that all
the fraud in Spain was the work of a single author, but that he used different
identities and operated using WIFI connections in private homes, cafes and public spaces, thus trying to hinder their location.

After months of investigations, officers of the Economic Crime group of
the Brigade of Judicial Police Station Gijon found that the suspect had
fixed his residence in Gijon, "where he received shipments getting
their illicit activity," sources said the police station.

A job as a lure

"The person under investigation belonged to a criminal organization
operating transnational nature of the internet and dedicated to credit
card fraud and debit cards.
The network operated by credentials and numbers for bank cards
using different methods, from cloning, 'phishing' or 'hacking' of online data, "says the police.
After obtaining this data, the fraud is facilitated through servers and
private links to other members of the organization in exchange for
financial compensation.
The Nigerian resident in Gijon, allegedly, took this information and
using it, effected purchases of technological devices such as
televisions, tablets, laptops or mobile phones.
Each week they conducted three or four purchases of items using many
identities and facilitating different directions for collection, "but
always expecting the dealers on the street to avoid the reliable
verification of your address."
"Under the pretext of facilitating the work identified in the street
before the workers of delivery companies and so getting the immediate
delivery of the item, the cost would be charged to the person who had
fraudulently obtained card information» , reports the National Police.
All of the material obtained in this way coming back into the virtual
market since it was offering immediately in Internet-based ad pages to people
unaware of its illicit origin and not belonging to this criminal
network.
Despite all the precautions taken by the investigation to hide his true location, the officers managed to identify and establish a means for
his arrest.His precise location was noted when he was picking up one of his orders and he was taken to the police station.

The Europen Union's Judicial Cooperation Unit, EUROJUST, along with Europol's European Cybercrime Center (EC3) and the Joint Cybercrime Action Taskforce (J-CAT) have announced one of their most successful cyber actions to date. The case, known internally as Operation Triangle, involves three lead agencies - Italy's Postal and Telecommunications Police through its office in Perugia, Spain's Investigative Court no. 24 in Barcelona, and Poland. (EUROJUST Press Release: "Eurojust and Europol in massive joint action against cybercriminals")

58 search warrants were executed in Spain, Poland, Italy, Belgium, Georgia, and the United Kingdom, resulting in 20 arrests in Italy, 18 arrests in Poland, 10 arrests in Spain, and 1 arrest in Belgium. Most of those arrested were from Nigeria and Cameroon.

By gaining control of the email accounts of well-placed individuals in corporations across Europe, the criminals were able to alter requests for payment to send the payments to themselves rather than the business bank accounts that were the intended destinations. In a short period of time, more than 6 million euros were transferred to accounts controlled by the criminals.

In the United Kingdom, where the J-CAT task force is headquartered, recent government reports indicated that 81% of large businesses (>250 employees) and 60% of small businesses (less than 50 employees) experienced an information security breach in 2013.

Next week, many European governments will be represented in the Octopus Conference 2015: Cooperation Against Cybercrime. Through the work of Octopus and others, European agencies are gradually coming into agreement on how to address multi-jurisdictional cybercrime. At last year's Octopus conference, delegates were encouraged to work together through 18 Cybercrime Scenarios. Fascinating puzzles that we NEED agreement on if we are truly going to stand a chance against the multi-national criminals who steal from our citizens.

UPDATE! La Stampa article --

For the convenience of my mostly English-speaking readers, I offer an English translation via Google Translate below. This article is available to the Italian reader by clicking the story headline in Italian:

Phishing Against Companies: 62 arrested in Italy and Abroad, International network dismantled: An operation that goes from Perugia to Turin and expands throughout Europe. Here's how the scammers did it.

Via "LaStampa" journalist Carola Frediani and Google Translate --

It all started with a payment of 33 thousand euro. A routine, a transfer made ​​by a company of the Venetian food, which through its Spanish subsidiary had paid a supplier. Or rather, what he thought to be a provider, not suspecting that behind the request for a change of code Iban which paid the money was concealed an organization dedicated to computer fraud to the detriment of businesses and recycling. He had before hacked supplier and now he was impersonating online through email. So that money, rather than to the real suppliers of the Veneto, end up on a postal account in Perugia made ​​out to a citizen of Cameroon.
Which in turn has contacts with a criminal group based in Turin,
specializes in money laundering and run by Nigerians, as revealed
recently in an investigation of Europol and the Guardia di Finanza
Piedmont.

Operation Phishing 2.0

This episode started then the footage of another Italian international investigation, codenamed Phishing 2.0, which has once again at the center of the fraud against companies, and this morning has resulted in 62 arrest warrants in various countries, including 29 issued by prosecutors in Perugia.
An investigation then born and coordinated in Perugia, bounced on Turin
had already been identified where a hub of illicit proceeds, and
extended between Italy, Spain and Poland, with the support of Europol
and Eurojust, the judicial cooperation unit of 'European Union.

The victims

Fifty (7 of which are Italian) companies all over the world were victims of digital fraud, 800 scam transfers were identified, 800 thousand euro taken away from businesses and recovered during the investigation, around 5 million euro estimate of the economic damage caused by the group in its business that dates back to 2012. The offenses: unauthorized access to computer systems, impersonation, aggravated fraud, and receiving stolen property.

How did it work

The mechanism of the scam started with a series of computer intrusions in the mailboxes of the companies targeted - characterized by having many foreign relations - through an advanced form of phishing, a technique that consists of sending email fake trying to trick the recipient, and then infect and / or [carpirgli] information.
After obtaining the credentials of the emails of employees of a
company, cybercriminals were monitoring the exchange of mail identifying
commercial relationships, creditors and debtors; then they sent an email to the debtor to turn communicating a change of Iban [online payment destination address?]. Iban that actually corresponded to an account managed by a member of the organization.To manage the assets of phishing was a network of Nigerians, Cameroonians and Senegalese, some of whom were residents in Italy.
Once at the bank, also on many giro Italian, the money were taken
quickly and redistributed abroad through various systems, including
money transfer. "There was a division of roles," he told La Stampa Anna Lisa Lillini, assistant chief of the police post Umbrian added. "Who identified the victims took 50 percent of the amount; who was offering the bill received 30%; and the mediator that the hacker got in touch and took the 20%. " The amount stolen went from 800 up to 250 thousand euro. "In one case we have intercepted one wire of 300 thousand euro from America to Turin," explains Lillini.

Between Umbria and Piedmont

Turin made ​​from recycling center, and here the investigation Perugia converges with what we previously reported from Turin, [LaStampa's article "Nigerian Drops: Women and Companies Cheated Online"] .
In that system, the money stolen from the companies were sent to other
parties, with dozens of credit transfers and of people involved, up to a
stage where cash was taken piecemeal. A branched system, which were scattered in many streams ([ribattezzatto] precisely Nigerian Drops by investigators) and that has been traced through some specific analysis tools used by Europol. "In one case, one person has taken 150 thousand euro in eight hours making dozens of drops in different branches," says La Stampa Captain David Giangiorgi of the Financial Police of Turin. "The fraud was perpetrated by persons residing in Nigeria. The money was sent in the form of assets purchased with the proceeds of the scam and then shipped to the African country. "

A growing phenomenon

This kind of scams are increasingly common.
"Just this week, carrying out a survey of defense on behalf of an
Italian company that had lost many thousands of euro through a similar
system, we were able to triangulate who had sent the phishing emails,
and these seem to come just from Lagos (Nigeria) ", explains Paolo Dal Checco, the Turin studio of computer forensics, Digital Forensics Bureau (Di. Fo. B) that has long followed precisely such cases. The interesting aspect is that the story in question fraudsters had been in touch with the company through Skype, as well as email. And through the program of VoIP (and with some tracking systems of the email), computer forensic experts have identified the IP address of the interlocutors. "By now using increasingly sophisticated techniques," says Dal Checco. "In some cases they go even to call pretending to be a creditor of the company contacted."

UPDATE #2 -- The News from Spain

The Spanish National Police have also released information about this
case, in their press release of June 10, 2015. As with the Italian
article above, click the Spanish headline below for the original
article. For the convenience of English-speaking readers, we share a
Google-translate-assisted version below:

Joint operation of the National Police, NCA and the British Police in Italy and Belgium, coordinated by Europol and EurojustThere
are 49 detainees -10 of them in Spain and there have been 28 homes in
which 9,000 euros have been seized along with laptops, hard disks, phones, tablets,
credit cards and extensive documentation on the activities of the
network.Those
arrested by means of intrusion techniques and social engineering, were able to control corporate email accounts and to interfere in international
financial transactions between different companies and thus were able to modify the target bank accounts and thus appropriating money illegally

National Police agents have participated in a simultaneous operation
conducted in Spain, Italy, Belgium and Poland against a network of cyber
fraud.
In this joint operation coordinated by Europol and Eurojust also they
participated British NCA agents and police in Italy and Belgium.
There are 49 detainees -10 of them in Spain and there have been 28
homes in which 9,000 euros have been seized laptops, hard disks, phones,
tablets, credit cards and extensive documentation on the activities of
the network.
Those arrested by intrusion techniques and social engineering, were
made to the control of corporate email accounts to interfere in
international financial transactions between different companies. Thus they managed to change the target bank accounts and thus appropriate the money illegally.
The international coordination was established effectively through
Europol headquarters in The Hague and link to cybercrime agent of the
National Police.
In this way it has enabled the operation has been developed jointly and
simultaneously in all countries where they lived active members of the
criminal structure dismantled. It also has received support personnel and Europol mobile office moved to places where it has intervened.Modus operandi
The cyber attack used by this criminal group is called
man-in-the-middle, which is to control email accounts, in the case of
medium and large European companies.
The members of the network were reviewing the messages sent and
received from corporate accounts to detect requests for payment. Then modified the messages for payments were transferred to bank accounts controlled by the criminal group. These payments were charged by the criminal organization immediately through different means.
The investigation, originating mainly from Nigeria, Cameroon and Spain,
then transferred the money out of the European Union through a
sophisticated network of money laundering transactions. The investigation culminated with the arrest of 49 people in Spain (10), Italy, Belgium and Poland.
In addition there have been 28 homes, 8 in Spain, 2 in the UK and 18 in
Italy, where agents have seized 9,000 euros in cash (5000 in Italy and
4000 in Spain), laptops, hard drives, mobile tablets, credit cards and
extensive documentation on the activities of the network.
The operation was carried out by officers of the Unit for Technological
Research and the Police Headquarters of Catalonia of the National
Police, the Italian Polizia di Stato, the Polish National Police and the
British National Crime Agency.

UPDATE #3 -- The News From Poland

The Polish National Police have also issued a press release about the arrests made in Poland. Click the Polish language headline below for the original article. A Google-translate assisted version follows for the benefit of our English-speaking readers. (stills from video http://cbsp.policja.pl/dokumenty/zalaczniki/3/3-165386.mp4 )

(International Operation of Europol and Eurojust - a Total of 49 Criminals Arrested)

Officers
Coordination Team Central Bureau of Investigation Police and Border
Guard as well as police officers Municipal Police Headquarters in Krakow
and the Department for Combating Cybercrime Regional Police
Headquarters in Krakow, acting under the supervision of Appellate
Prosecutor's Office in Krakow together with the police and law
enforcement authorities from Italy and Spain, with collaboration with
investigators from Belgium, Georgia and the UK and support of Europol
and Eurojust, figured out an international organized criminal group,
engaged in money laundering, originating, inter alia from phishing attacks carried out against citizens of European countries. On the Polish territory had been detained this matter for a total of 18 people.On June 9th and 10th, Europol and Eurojust conducted an international action against cyber criminals. A total of 49 suspects have been detained. The activities were also conducted in Poland.
Yesterday, in the province of Malopolska police activity was carried
out in this case, one of the most important leading to the
arrest of five people, including the man who organized criminal dealings on
Polish territory. The Central Investigation Bureau Police seized more than 160 thousand from phishing. In total, the Polish were detained in that case 18 people.
According to estimates investigators, members of criminal group could
"launder" a total of over 7.7 million (this amount coming only from the
crimes committed in our country). Detained charges of fraud, money laundering and participation in an organized criminal group. On account of the suspect threatened penalties and fines secured property value of 1.8 million.
Results of "Operation Triangle" are the result of large-scale
investigations carried out in Italy, Spain and Poland (Central Bureau of
Investigation Police Department with the participation of cybercrime
Police Headquarters in Krakow under the supervision of Appellate
Prosecutor's Office in Krakow). The aim was to break organized crime groups engaged in phishing on the Internet. These types of crimes are carried out by specialized criminals who use the Internet to commit fraud. In addition criminals from exploiting cyberspace to "laundering" of money, proceeds of crime. In this way, embezzlement made substantial amounts of money from victims throughout Europe. In parallel, the investigation showed the existence of international fraud on a massive scale, extortion million in short time.
The suspects, mainly from Nigeria and Cameroon, upload illegal profits
outside the European Union through a complex network of transactions
related to money laundering.
In preparation for the run yesterday and today operations, Eurojust
coordinated the gathering of information from various law enforcement
agencies, as well as organized several coordination meetings with
representatives of national authorities from Italy, Spain, Polish,
Belgium and Great Britain.
With all these joint efforts, coordination center was established who
carried out the operation with the support Team. Analysis Affairs
Eurojust, the European Centre for the fight against Cybercrime Europol
(EC3) and the Joint Task d. Cybercrime (JCAT) - a new European institution created to assist investigations to combat cybercrime.
Joint action brought excellent results, while she realized that joining
forces selected EU agencies and national authorities can successfully
contribute to the fight against one of the most difficult to detect
forms of contemporary crime.
Teresa-Angela Camelio, National Assistant Representative of Italy to
Eurojust, commented: "Eurojust played a key role in promoting the
agendas of EU efforts in combating this type of crime, which requires
knowledge, cooperation and coordination between all involved national
and international actors. The results of the two-day operation are a clear signal to criminals that they will be prosecuted in every jurisdiction. "
Phishing on the Internet: This type of cybercrime, carried out by
organized criminal groups, depends on gaining access to passwords and
names (nicknames) of users for illegal activities.
Criminals replace respective owners information through "phishing"
their data and thereby gain access to their accounts, which means access
to the money the victims and their customers. Credentials obtained in this way by organized criminal groups hurts many
Internet clients, while generating billions of euros of profits for
organized crime groups.